Risk Assessment of a Container Build

ABSTRACT

An artificial intelligence (AI) platform to support optimization of container builds and virtual machine mounts in a distributed computing environment. A provisioning file is subject to natural language processing (NLP) and a corresponding vector representation of the file is created and subject to evaluation by a set of artificial neural networks (ANN). A first ANN assesses the representation of the file with respect to compliance and operability, and the second ANN selectively assesses the representation of the file with respect to provisioning efficiency. The provisioning file is selectively process based on the provisioning efficiency, with the processing directed at provisioning a container build or mounting a VM.

BACKGROUND

The present embodiments relate to risk assessment of a container build. More specifically, the embodiments relate to utilizing artificial intelligence to validate both code and data of a container image build prior to deploying the container in a runtime environment.

A container is an executable unit of software in which application code is packaged so that it can be run on different computing environments. The container(s) virtualize the operating system so that each individual container contains only the application and its libraries and dependencies. Containers share the machine operating system kernel, thereby eliminating the need for a full operating system instance per application, and further managing a size of the container. When containerizing an application, the process includes packaging an application with its relevant variables, configuration files, libraries, and software dependences. The result is a container image that can be run on a container platform.

A virtual machine (VM) is a virtual representation, or emulation, of a physical computer. Each VM has its own operating system and application, and multiple VMs may be supported on a single physical machine. The VM uses a software layer, referred to as a hypervisor, to coordinate with underlying physical hardware of the physical computer. The hypervisor allocates physical computer resources, such as processors, memory, and storage, to each virtual machine. In addition, the hypervisor maintains separation of VMs from each other to mitigate interference. Accordingly, each VM contains a guest operating system, a virtual copy of the hardware that the operating system requires to run, along with an application and its associated libraries and dependencies.

To satisfy compliance and risk, containers and VMs are validated against a container registry and an image, respectively. Validation of the container(s) and VM(s) occur according to a known set of databases. However, containers and VMs can have different types of software added by a user which may not be present in such databases. For example, a user might rename a layer in the container, build and package a custom library which is added to the container, or add binary artifacts for format unknown to the container registry. Container deployment is an action of pushing containers to their target environment. While a container might hold an entire application, most container deployments are in fact multi-container deployments which push multiple containers to the target environment. Deploying containers from unsecure and non-compliant images to a cloud container runtime with high severity vulnerabilities or non-compliant data handling can result in a security breach or significant monetary fines.

SUMMARY

The embodiments include a system, computer program product, and method for leveraging artificial intelligence to optimize container builds and virtual machine mounts. This Summary is provided to introduce a selection of representative concepts in a simplified form that are further described below in the Detail Description. This Summary is not intended to identify key features or essential features of the claimed subject matter, nor is it intended to be used in any way that would limit the scope of the claimed subject matter.

In one aspect, a computer system is provided with a processing unit operatively coupled to memory, and an artificial intelligence (AI) platform operatively coupled to the processing unit. The AI platform supports optimization of container builds and virtual machine mounts in a distributed computing environment. The AI platform includes tools in the form of at least a representation manager and a neural network manager, with the tools configured with functionality to support and enable the optimization. The representation manager is configured to employ natural language processing to convert a receive metadata file associated with provisioning into one or more vector representations. The neural network manager is configured to identify a subject of the provisioning, and based on the identification to selectively leverage a first artificial neural network (ANN) to assign a first score to each processed vector representation. The first score conveys a compliance factor that corresponds to operability of the corresponding vector representation. In response to the assignment of the first score, the neural network manager selectively leverages a second ANN configured to assign a second score to the representation of the received metadata file. The second score corresponding to provisioning efficiency. The second score is leveraged by the processor to selectively provision either a corresponding container build or VM mount, with the provisioning of the container utilizing the first and second ANNs and the mounting of the VM limited to the second ANN.

In another aspect, a computer program product is provided to support optimization of container builds and virtual machine mounts in a distributed computing environment. The computer program product includes a computer readable storage medium having program code embodied therewith. Program code, which is executable by a processor, is provided to support and enable the optimization. More specifically, the program code employs natural language processing to convert a received metadata file associated with provisioning into one or more vector representations. Program code is provided to identify a subject of the provisioning, and based on the identification to selectively leverage a first artificial neural network (ANN) to assign a first score to each processed vector representation. The first score conveys a compliance factor that corresponds to operability of the corresponding vector representation. In response to the assignment of the first score, the program code selectively leverages a second ANN configured to assign a second score to the representation of the received metadata file. The second score corresponds to provisioning efficiency. The program code leverages the second score to selectively provision either a corresponding container build or VM mount, with the provisioning of the container utilizing the first and second ANNs and the mounting of the VM limited to the second ANN.

In yet another aspect, a method is provided to support optimization of container builds and virtual machine mounts in a distributed computing environment. The method includes employing natural language processing to convert a received metadata file associated with provisioning into one or more vector representations. A subject of the provisioning is identified, and based on the identification a first artificial neural network (ANN) is selectively leveraged to assign a first score to each processed vector representation. The first score conveys a compliance factor that corresponds to operability of the corresponding vector representation. In response to the assignment of the first score, a second ANN is leveraged and configured to assign a second score to the representation of the received metadata file. The second score corresponds to provisioning efficiency. A corresponding container build or VM mount is selectively provisioned based on the second score, with the provisioning of the container utilizing the first and second ANNs and the mounting of the VM limited to the second ANN.

These and other features and advantages will become apparent from the following detailed description of the presently preferred embodiment(s), taken in conjunction with the accompanying drawings.

BRIEF DESCRIPTION OF THE SEVERAL VIEWS OF THE DRAWINGS

The drawings reference herein forms a part of the specification. Features shown in the drawings are meant as illustrative of only some embodiments, and not of all embodiments, unless otherwise explicitly indicated.

FIG. 1 depicts a schematic diagram of a computer system to support and enable risk assessment of a provisioning file.

FIG. 2 depicts a block diagram illustrating the AI platform tools, as shown and described in FIG. 1, and their associated application program interfaces (APIs).

FIG. 3 depicts a flow chart illustrating a process for providing a risk assessment associated with provisioning by analyzing both code and metadata of a corresponding provisioning file using natural language processing (NLP).

FIG. 4 depicts a sample container build file illustrating a non-compliant metadata file.

FIG. 5 depicts a flow chart illustrating a process for providing a risk assessment directed at a VM image.

FIG. 6 depicts a block diagram illustrating an example of a computer system/server of a cloud based support system, to implement the system and processes described above with respect to FIGS. 1-5.

FIG. 7 depicts a block diagram illustrating a cloud computer environment.

FIG. 8 depicts a block diagram illustrating a set of functional abstraction model layers provided by the cloud computing environment.

DETAILED DESCRIPTION

It will be readily understood that the components of the present embodiments, as generally described and illustrated in the Figures herein, may be arranged and designed in a wide variety of different configurations. Thus, the following detailed description of the embodiments of the apparatus, system, method, and computer program product of the present embodiments, as presented in the Figures, is not intended to limit the scope of the embodiments, as claimed, but is merely representative of selected embodiments.

Reference throughout this specification to “a select embodiment,” “one embodiment,” or “an embodiment” means that a particular feature, structure, or characteristic described in connection with the embodiment is included in at least one embodiment. Thus, appearances of the phrases “a select embodiment,” “in one embodiment,” or “in an embodiment” in various places throughout this specification are not necessarily referring to the same embodiment.

The illustrated embodiments will be best understood by reference to the drawings, wherein like parts are designated by like numerals throughout. The following description is intended only by way of example, and simply illustrates certain selected embodiments of devices, systems, and processes that are consistent with the embodiments as claimed herein.

In the field of AI computer systems, natural language processing (NLP) systems process natural language based on acquired knowledge. NLP is a field of AI that functions as a translation platform between computer and human languages. More specifically, NLP enables computers to analyze and understand human language. Natural Language Understanding (NLU) is directed at parsing and translating input according to natural language principles. Examples of such NLP systems are the IBM Watson® artificial intelligent computer system and other natural language question answering systems.

Machine learning (ML), which is a subset of AI, utilizes algorithms to learn from data and create foresights based on the data. ML is the application of AI through creation of models, for example, artificial neural networks that can demonstrate learning behavior by performing tasks that are not explicitly programmed. There are different types of ML including learning problems, such as supervised, unsupervised, and reinforcement learning, hybrid learning problems, such as semi-supervised, self-supervised, and multi-instance learning, statistical inference, such as inductive, deductive, and transductive learning, and learning techniques, such as multi-task, active, online, transfer, and ensemble learning.

Artificial neural networks (ANNs) are models of the way the nervous system operates. Basic units are referred to as neurons, which are typically organized into layers. The ANN works by simulating a large number of interconnected processing units that resemble abstract versions of neurons. There are typically three parts in an ANN, including an input layer, with units representing input fields, one or more hidden layers, and an output layer, with a unit or units representing target field(s). The units are connected with varying connection strengths or weights. Input data is presented to the first layer, and values are propagated from each neuron to neurons in the next layer. At a basic level, each layer of the neural network includes one or more operators or functions operatively coupled to output and input. The outputs of evaluating the activation functions of each neuron with provided inputs are referred to herein as activations. Complex neural networks are designed to emulate how the human brain works, so computers can be trained to support poorly defined abstractions and problems where training data is available.

A container image is a file that includes source code to run an isolated process. More specifically, the container image is a file comprised of multiple layers which can execute applications in a single instance. A container file is a text document that contains commands and arguments to build the container image. The container is a run-time instance of the container image(s). A container repository is used to store related container images. In an exemplary embodiment, container repositories can be used to manage, pull, or push, container images. A container registry stores multiple repositories of container images, as well as storing application program interface (API) paths and access control rules. However, container registries do not have the ability to scan custom source code and application artifacts. An application artifact is known in the art as a tangible by-product produced during development of software. Examples of an application artifact include, but are not limited to, application source code, testing code, application programming interface (API) specifications, application configurations, deployment scripts, and variables. The application artifacts require specific computer hardware needed to run the associated workload. In an exemplary embodiment, the specific or necessary computer hardware to support the application artifacts are referred to as a framework or hardware framework, and may include elements such as random access memory (RAM), central processing unit (CPU), graphics processing unit (GPU), etc. The computer hardware elements shown and described herein are for exemplary purposes and should not be considered limiting.

As shown and described, a computer system, program product, and method are provided for utilizing AI and ML to conduct a risk assessment of a container file prior to deploying the container, and in an embodiment the risk assessment is extended to one or more virtual machines prior to deploying the virtual machine(s).

Referring to FIG. 1, a schematic diagram of a computer system (100) is provided with tools to support risk assessment of a provisioning file. As shown, a server (110) is provided in communication with a plurality of computing devices (180), (182), (184), (186), (188), and (190) across a network connection (105). The server (110) is configured with a processor (112) in communication with memory (116) across a bus (114). The server (110) is shown with an artificial intelligence (AI) platform (150) to support risk assessment of a container file. More specifically, the AI platform (150) is configured with one or more tools to leverage an artificial neural network for provisioning containers and virtual machines. The computing devices (180), (182), (184), (186), (188), and (190) communicate with each other and with other devices or components via one or more wired and/or wireless data communication links, such as network (105), where each communication link may comprise one or more of wires, routers, switches, transmitters, receivers, or the like. In this networked arrangement, the server (110) and the network connection (105) enable communication detection, recognition, and resolution. Other embodiments of the server (110) may be used with components, systems, sub-systems, and/or devices other than those that are depicted herein.

The artificial intelligence (AI) platform (150) is shown herein configured to receive input (102) from various sources. For example, the AI platform (150) may receive input across the network (105) and leverage a knowledge base (160), also referred to herein as a corpus or data source, to support risk assessment prior to provisioning a container or a virtual machine. As shown by way of example, the knowledge base (160) is configured with two libraries, shown herein as library_(A) (162 _(A)) and library_(B) (162 _(B)). Although two libraries are shown, the quantity should not be considered limiting. With respect the container environment, the libraries are populated with vector representations corresponding to container builds. In the example shown herein, library_(A) (162 _(A)) populated with vector representations corresponding to container builds and library_(B) (162 _(B)) is populated with vector representations corresponding to virtual machine (VM) images. In an exemplary embodiment, whether a vector representation is compliant or non-compliant is determined based on an identifier attached to the vector representation. The vector representations are known elements of the container builds or VM image build represented in vector form. Although only two libraries are shown and described herein, the quantity should not be considered limiting, and in an exemplary embodiment, the knowledge base (160) may be configured with a plurality of libraries. For example, the container library (162 _(A)) may be in the form of two separate libraries, with a first of these libraries populated with representations of compliant container builds and a second of these libraries populated with representations of non-compliant container builds. As shown herein, library_(A) (162 _(A)) is populated with data in the form of vector representations, shown herein by way of example as vector_(A,0) (162 _(A,0)), vector_(A,1) (162 _(A,1)), and vector_(A,N) (162 _(A,N)). Library_(B) (162 _(B)) is populated with vector_(B,0) (162 _(B,0)), vector_(B,1) (162 _(B,1)), and vector_(B,N) (162 _(B,N)). The quantity of vectors (162 _(A,0)), (162 _(A,1)), (162 _(A,N)), (162 _(B,1)), (162 _(B,2)), and (162 _(B,N)) is for illustrative purposes and should not be considered limiting. The vector representations may represent both compliant and non-compliant vector representations of container builds or VM images.

The AI platform (150) is shown herein with several tools to support leveraging one or more neural networks to provide risk assessment with respect to provisioning of containers and virtual machines. The AI platform (150) tools are shown herein as a filter manager (152), a representation manager (154), and a neural network (NN) manager (156). The tools (152), (154), and (156) are operatively coupled, directly or indirectly, together, and provide the functions, as described below.

The filter manager (152) functions to provision either a virtual machine (VM) image or a container file, also referred to herein as a metadata file, associated with VM mount or a container image build. The filter manager (152) identifies whether it is the VM image or the container file that will be subject to provisioning. Responsive to the identification of a container file being received for provisioning, and before the container is provisioned, the metadata file is subject to at least a two part analysis by the filter manager. The filter manager (152) identifies container file components and image layers within the container build, and effectively separate the container file based on the identified components. The image layer, also referred to herein as a layer, is directed at an intermediate change of an image. Every command, such as Run, Copy, From, etc., in the container file causes a previous image to change, thereby creating a new layer. A change made to the container file will result in building only the layer that was changed and subsequent layers. In an embodiment, the identified and separated components may be in the form of data and source code, although these components should not be considered limiting. Other components subject to identification may include private keys to access data, custom code, and user added artifacts. Following the segmentation, the filter manager (152) applies a filter to the identified elements and their corresponding image layers in the various segments to effectively remove pre-approved or non-functional segmented elements from the second part of the analysis. For example, in an exemplary embodiment, comments and known dependencies, such as pre-approved libraries, are identified by the filter and are effectively removed from further analysis of the container file. In an embodiment, the filter may be utilized or a part of software code to identify elements within the container file that are subject to removal. Responsive to the identification of A VM image being the subject of the provisioning, the file manager (152) functions to apply segmentation and filtering to the file system of a VM image to remove pre-approved or non-functional aspects associated with the VM image build. Accordingly, the filter manager applies segmentation and filtering to remove pre-approved or non-functional aspects of the container file or VM image from risk assessment analysis.

As shown, the representation manager (154) is operatively coupled to the filter manager (152). The representation manager (154) functions to convert the segments and their corresponding image layers of the container file that remain after filtering into one or more vector representations effectively creating one or more image layer vector representations. In an exemplary embodiment, the representation manager (154) combines or otherwise converts the vector representations of the container file into a single, and in an embodiment extended, vector representation. In an embodiment, the representation manager functions to convert segments of the VM image into one or more vector representations and stores the vector representation(s) in a library, i.e. library_(B) (162 _(B)). Accordingly, the representation manager (154) converts the segments of the container image or the virtual machine image into one or more vector representations and stores the vector in a corresponding library.

The neural network (NN) manager (156) is shown herein operatively coupled to the representation manager (154). The NN manager (156) functions to subject the vector representation of the container file to analysis by an artificial neural network (ANN), also referred to herein as a first ANN. Aspects of the first ANN are discussed in greater detail in FIG. 3. The NN manager (156) leverages the first ANN to perform a similarity analysis of the container file to compliant representations, and in an embodiment to non-compliant representations, in the repository, i.e. library_(A) (162 _(A)). In an embodiment, the repository includes vector representations of compliant, and in an embodiment non-compliant, container builds, and the subject container file is represented in vector form as processed by the representation manager (154). In an exemplary embodiment and using the vector representations, the analysis by the NN manger (156) is a vector analysis between the container file representation and the vectors stored in library_(A) (162 _(A)), including stored vectors identified as compliant and non-compliant. The NN manager (156) conducts a distance measurement between container file representation and the vectors in the library. In an embodiment, the distance measure is referred to as a Euclidean distance. The NN manager (156) identifies and returns a vector from the repository, e.g. library_(A) (162 _(A)), that is closest to the container file vector representation that is the subject to the analysis. The identified vector may be previously designated as compliant or non-compliant, either by the library in which it is populated or via a corresponding identifier. In an embodiment, the analyzed container file is added to the repository (160) by the representation manager (154) after the assessment by the NN manager (156), with the added file identified as compliant or non-compliant. In an exemplary embodiment, the added file in the repository is leveraged by the first ANN in the form of additional data in a subsequent container file analysis. Accordingly, the NN manager (156) conducts an assessment and identifies a vector from the repository closest to the container file vector representation that is the subject of the analysis.

Output from the first ANN controls direction of the container provisioning. More specifically, the first ANN provides output indicating that the representation(s) of the container file are either compliant or non-compliant with respect to representations of container builds in the repository, which in an embodiment are vector or vector forms of the container builds. Responsive to the identified vector being designated as non-compliant, the NN manager (156) identifies a compliant vector representation that is closest to the container file vector representation to mitigate or avoid an error associated with the non-compliant vector identification. Using the closest identified compliant vector representation, the NN manager (156) performs a distance assessment, and more specifically it is ascertained whether the measured distance between the container file vector representation and the compliant vector is below a distance threshold. The distance threshold is a similarity threshold wherein the measured distance between two vectors is below the threshold is an indication that the vectors are similar or within a similarity range. If the distance measure of the selected vector is below the distance threshold, the NN manager (156) determines that identified compliant vector is deemed or considered similar. Accordingly, as shown herein, the NN manager (156) facilitates processing of the container image representation to either ascertain that the image is compliant based on a distance measurement to a closely represented image from the repository, or responsive to the container file vector representation being non-compliant, searches the library_(A) (162 _(A)) to identify a compliant vector representation that is close to the container image and assess proximity of the subject container image to the closest complaint image in the repository.

Based on the proximity assessment in the form of output from the first ANN, the NN manager (156) selectively leverages a second ANN to analyze the container image file by assessing efficiency of the container build. In an exemplary embodiment, the leveraging of the second ANN is selective and based on output of compliance from the first ANN. Aspects of the second ANN analysis and output are discussed in further detail in FIG. 3. The efficiency assessment by the NN manager (156) generates or outputs a context score related to the container build, with the context score corresponding to a risk associated with efficiency of the container build. In an embodiment, the context score is an aggregated risk score corresponding to build efficiency. Using the context score received from the second ANN, the NN manager (156) performs a risk assessment in the form of a comparison of the context score to a risk threshold, which in an embodiment is a configurable threshold. The container build is selectively provisioned in response to the comparison. Accordingly, the NN manager (156) selectively leverages the second ANN to assess efficiency of the container build.

The NN manager (156) further functions to subject the vector representation of the VM image to analysis by the second ANN. The analysis by the NN manager (156) produces a context score to the vector representation of the VM image, with the context score corresponding to a risk associated with the VM image with respect to mounting the VM. In an exemplary embodiment, the context score is referred to as a VM risk score. The NN manager (156) assesses the VM risk score with respect to a risk threshold, which in an embodiment is a configurable threshold, serving as an indicator directed at VM image compliance. The VM image is selectively subject to mounting on a physical machine based on the risk threshold assessment. Accordingly, the NN manager (156) the second ANN to determine and assess a risk associated with provisioning a VM.

In some illustrative embodiments, server (110) may be the IBM Watson® system available from International Business Machines Corporation of Armonk, N.Y., which is augmented with the mechanisms of the illustrative embodiments described hereafter. The filter manager (152), representation manager (154), and the NN manager (156), hereinafter referred to collectively as AI tools, are shown as being embodied in or integrated within the AI platform (150) of the server (110). In one embodiment, the AI tools may be implemented in a separate computing system (e.g., 190) that is connected across network (105) to the server (110). Wherever embodied, the AI tools function to risk assessment of a container build.

Types of information handling systems that can utilize the AI platform (150) range from small handheld devices, such as handheld computer/mobile telephone (180) to large mainframe systems, such as mainframe computer (182). Examples of handheld computer (180) include personal digital assistants (PDAs), personal entertainment devices, such as MP4 players, portable televisions, and compact disc players. Other examples of information handling systems include pen, or tablet computer (184), laptop, or notebook computer (186), personal computer system (188), and server (190). As shown, the various information handling systems can be networked together using computer network (105). Types of computer network (105) that can be used to interconnect the various information handling systems include Local Area Networks (LANs), Wireless Local Area Networks (WLANs), the Internet, the Public Switched Telephone Network (PSTN), other wireless networks, and any other network topology that can be used to interconnect the information handling systems. Many of the information handling systems include nonvolatile data stores, such as hard drives and/or nonvolatile memory. Some of the information handling systems may use separate nonvolatile data stores (e.g., server (190) utilizes nonvolatile data store (190 _(A)), and mainframe computer (182) utilizes nonvolatile data store (182 a). The nonvolatile data store (182 _(A)) can be a component that is external to the various information handling systems or can be internal to one of the information handling systems.

The information handling system employed to support the AI platform (150) may take many forms, some of which are shown in FIG. 1. For example, an information handling system may take the form of a desktop, server, portable, laptop, notebook, or other form factor computer or data processing system. In addition, an information handling system may take other form factors such as a personal digital assistant (PDA), a gaming device, ATM machine, a portable telephone device, a communication device or other devices that include a processor and memory. In addition, the information handling system may embody the north bridge/south bridge controller architecture, although it will be appreciated that other architectures may also be employed.

An Application Program Interface (API) is understood in the art as a software intermediary between two or more applications. With respect to the artificial intelligence platform (150) shown and described in FIG. 1, one or more APIs may be utilized to support one or more of the tools (152), (154), and (156) and their associated functionality. Referring to FIG. 2, a block diagram (200) is provided illustrating the tools (152), (154), and (156) and their associated APIs. As shown, a plurality of tools are embedded within the artificial intelligence platform (205), with the tools including the filter manager (252) associated with API₀ (212), the representation manager (254) associated with API₁ (222), and the NN manager (256) associated with API₂ (232). Each of the APIs may be implemented in one or more languages and interface specifications.

As shown, API₀ (212) provides functional support to receive a provisioning file, such as a container image file or a VM image file. API₁ (222) provides functional support to convert the segments of the provisioning file that remain after filtering into one or more vector representations. API₂ (232) provides functional support to subject the vector representation of the container file to analysis by an ANN, which in an embodiment is directed at efficiency corresponding with mounting the provisioning file. As shown, each of the APIs (212), (222), and (232) are operatively coupled to an API orchestrator (260), otherwise known as an orchestration layer, which is understood in the art to function as an abstraction layer to transparently thread together the separate APIs. In one embodiment, the functionality of the separate APIs may be joined or combined. As such, the configuration of the APIs shown herein should not be considered limiting. Accordingly, as shown herein, the functionality of the tools may be embodied or supported by their respective APIs.

Referring to FIG. 3, a flow chart (300) is provided illustrating a process for providing a risk assessment associated with provisioning by analyzing both code and metadata of a corresponding provisioning file using natural language processing (NLP). As shown, a provisioning file, is received or otherwise ascertained (302). A determination is made whether the received provisioning file is a container file, also referred to herein as a metadata file, associated with a container image build (304). A negative response to the determination indicates that the provisioning file is a VM image file and VM image file is processed as shown and described in FIG. 5 (306). Following a positive response to the determination but before building the container is commenced, the metadata file is subject to at least a two part analysis. The first part of the analysis is directed at segmentation of the provisioning file where different elements, including image layers within the container build, of the file are identified and separated (308). In an embodiment, the segmentation may be in the form of software code to identify elements within the container file that are subject to processing. For example, the image layer is directed at an intermediate change of an image. Every command, such as Run, Copy, From, etc., in the container file causes a previous image to change, thereby creating a new layer. A change made to the container file will result in building only the layer that was changed and subsequent layers, and the layer(s) preceding the changed layer and subsequent layers may be identified by the filter and as such not subject to analysis by the first and second ANNs. Following the segmentation, the identified elements and their corresponding image layers in the various segments are subject to a filter (310) to effectively remove pre-approved or non-functional segmented elements from the second part of the analysis. For example, in an exemplary embodiment, comments and known dependencies, such as pre-approved libraries, are identified by the filter or filtering process at step (310), and effectively removed from further analysis of the container file. Accordingly, the initial analysis of the provisioning file is directed at segmentation and filtering to remove pre-approved or non-functional aspects of the file from further risk assessment analysis, which in an embodiment is a complex analysis of the provisioning file.

Following step (310), the segments of the provisioning file and the corresponding image layers that remain after filtering, are converted into one or more vector representations (312). In an exemplary embodiment, the vector representations of the provisioning file are combined or otherwise converted into a single, and in an embodiment extended, vector representation. The vector representation of the provisioning file is stored in a repository (314), such as knowledge base (160). In an embodiment, the repository stores both compliant and non-compliant vector representations of provisioning files. In an exemplary embodiment, an identifier is assigned to each of the vector representations in the repository to indicate complaint and non-compliant representations. Similarly, in an embodiment, the repository is populated with libraries or data structures, with vector representations assigned to a corresponding library or data structure based on the indication of a compliant or non-compliant representation. The vector representation of the provisioning file is subject to analysis by an artificial neural network (ANN), also referred to herein as a first ANN, (316). The first ANN functions as a first level of assessment to ensure that the container or VM file has at least a minimum level of compliance. It is understood in the art that the ANN is subject to training on data. In an embodiment, the first ANN is trained on the vector representations in the repository. The first ANN analysis is directed at a similarity analysis of the input vector to existing vectors in the repository. The analysis by the first ANN compares the received vector representation of the provisioning file to the vector representations in the repository, including both compliant and non-compliant vectors.

In an exemplary embodiment, the first ANN is referred to herein as a Twin Neural Network (TNN), which is a class of neural network architecture that contains two or more identical sub-networks, where each sub-network has the same configuration with the same parameters and weights. The TNN is trained on the vector representations in the repository. Parameter updating is mirrored across both sub-networks. The TNN sub-networks work in tandem on two different input vectors to compute comparable output vectors. In an exemplary embodiment, one sub-network assesses the vector representation of the provisioning file in view of vector representations in the repository identified as compliant and the other sub-network assesses the vector representation of the provisioning file in view of vector representations in the repository identified as non-compliant. Accordingly, the TNN sub-networks compare the vector representation(s) of the provisioning file with vector representations of the repository to determine compliance of the provisioning file, e.g. metadata file.

As shown and described above, the analysis at step (316) is a vector analysis between the provisioning file representation and the vectors stored in the repository. In an exemplary embodiment, the analysis at step (316) includes a cosine similarity measurement between two vectors. Similarity is based on the feature vector representing the provisioning file. Part of the analysis at step (316) is assessing a distance measurement between two vectors, which in an embodiment is a Euclidean distance. The TNN sub-networks conduct the assessment in parallel to identify and return a vector from the repository that is closest to the provisioning file representation (318). The compliance identity of the identified vector may be revealed based on its assigned library or data structure, or in an embodiment based on its identifier designating the identified vector as compliant or non-compliant. Accordingly, the first ANN conducts an assessment and identifies a vector from the repository closest to the provisioning file representation.

Following the identification of the closest vector at step (318), it is determined whether the identified closest vector is a compliant vector, which in an exemplary embodiment is based on the vector identifier or placement of the vector within the repository (320). A positive response to the determination indicates that the provisioning file is compliant and proceeds to step (332). In an embodiment, a compliant identifier is assigned or otherwise associated with the representation of the container file in the repository. A negative response to the determination indicates that the provisioning file vector representation is most similar to a non-compliant vector and the container build likely contains an error and will not be executed (322). In an embodiment, a non-compliant identifier is assigned or otherwise associated with the representation of the container file in the repository. To mitigate or avoid an error associated with the non-compliant vector identification, the first ANN identifies a compliant vector representation that is closest to the provisioning file representation (324), although in an embodiment, this identification may not be the closest vector. In an exemplary embodiment, the identification at step (324) is limited to those vector representations in the repository designated as compliant representations, and is referred to herein as the closest compliant vector representation. The identification at step (324) is followed by a distance assessment, and more specifically it is ascertained whether the measured distance between the provisioning file vector representation and the closest compliant vector representation, as identified at step (324), is below a distance threshold (326). The distance threshold is a similarity threshold wherein the measured distance between two vectors is below the threshold is an indication that the vectors are similar or within a similarity range. A positive response to the determination at step (326) indicates that the identified vector is deemed or considered similar (328). A negative response to the determination at step (326) indicates that the vector identified at step (324) as the closest is not similar or similar enough to the provisioning file vector representation, and that there is no compliant vector representation in the repository similar to the provisioning file representation. The negative response to the determination at step (324) is followed by abandonment of the container build (330). Accordingly, responsive to a determination that the closest vector to the provisioning file vector representation is non-compliant, the closest compliant vector in the repository is identified and a similarity assessment is performed.

Following either step (328) or a positive response to the determination at step (320) the provisioning file representation is analyzed by a second ANN to assess efficiency of the container build (332). In an exemplary embodiment the second ANN is a trained natural language processing (NLP) model such as a recurrent neural network (RNN) or a Bidirectional Encoder Representations from Transfers (BERT). The RNN is a class of ANNs which use sequential data or time series data, and are commonly used to resolve ordinal or temporal problems, such as language translation, NLP, speech recognition, and image captioning. In an exemplary embodiment, connections between artificial neurons in the RNN form a directed graph along a temporal sequence, allowing the RNN to exhibit temporal dynamic behavior. The BERT, referred to herein as a transformer, is a type of NLP learning strategy in which deep neural networks utilize bidirectional models with unsupervised language representation. The BERT neural network is a contextual language representation model built on a multilayer bidirectional transformer encoder that learns context of a word based on all of its surroundings.

The second ANN, whether in the form of the RNN or the transformer, generates a context score to the container build vector representation, with the context score corresponding to a risk associated with efficiency of the container build with respect to build time (334). In an embodiment, the context score is an aggregated risk score corresponding to build efficiency. Using the context score received from the second ANN, a risk assessment is conducted to determine risk associated with the container build (336). As shown by way of example, the risk assessment is in the form of a comparison of the context score to a threshold, which in an embodiment is a configurable threshold. A determination at step (336) indicating that the container build is efficient to build is followed by deployment of the container to its target environment for executing the container build (338). Similarly, a determination at step (336) indicating that the container build is inefficient is an indication that the container deployment is a risk, e.g. a high risk, and is followed by abandonment of the container build (330). Accordingly, the container build is selectively executed based on the container file vector representation analysis by the second ANN.

Referring to FIG. 4, a sample container build file (400) is provided illustrating a non-compliant metadata file. As shown and described, a container build file (410) is provided. Natural language processing (NLP) is applied to analyze the container build file. As shown and described in FIG. 3, the initial analysis is conducted by segmenting and filtering the container build file. In the example file shown herein, the segmentation and filtering identifies private keys to access data (420) in the container build file. As shown and described in FIG. 3, the first ANN functions as a first level of assessment to ensure that the container or VM file has at least a minimum level of compliance. Identification of non-compliance may arise in different forms, such as, but not limited to, commands that call to download uncertified data, commands that run custom built non-certified libraries, commands that share a private key, commands that require non-reproducible builds regarding dependencies, commands that layer caching, etc., in the container build file. With respect to the example container build file (410), the presence of private keys in the container build file results in a classification of the file as non-compliant since access to the data is restricted by the private keys. The issue associated with the detection of the private key is that it is an extra layer of authentication required, so it is not viable for the container build. Accordingly, segmentation and filtering is applied to the container file to assess the file compliance.

One or more aspects of the process shown and described in FIG. 3 are directed at providing a risk assessment to a container build may be applied to compliance assessment of virtual machine (VM) images. Referring to FIG. 5, a flow chart (500) is provided for illustrating a risk assessment directed at a VM image. Mounting is a process by which the operating system makes files and directories on a storage device available for access via the computer's file system. With respect to the VM, files on a mapped virtual machine can read from or write to a disk, once the VM is mounted. As shown and described, an offline VM image that may be mountable on a host operating system is received and mounted to an operating system with a compatible filesystem (502). The VM is stored as a VM image, also referred to herein as a VM image file, using one or more image file formats. The VM image file may include system files, data files, and file system information associated with the VM. Different image file formats are known in the art and may be utilized to store the VM image files. Examples of such formats include, but are not limited to, VMware's VMDK (Virtual Machine Disk Format), Microsoft's VHD (Virtual Hard Disk). virtual machine disk format (VMDK), virtual hard disk (VHD), and open virtualization format (OVF). The file system information associated with the VM image file is saved as a text file (504) and the text file is converted into a VM image vector representation (506). Similar to FIG. 3, vector representations are stored in a repository (508). In an embodiment, the repository stores both compliant and non-compliant vector representations of VM images. The compliant vector representations include both industry related compliance as well as specific enterprise compliance. In an exemplary embodiment, an identifier is assigned to each of the vector representations in the repository to indicate complaint and non-compliant representations. Accordingly, the vector representation of the VM image is created and leveraged for a compliance assessment.

Similar to FIG. 3 at step (328), the vector representation of the VM image is subject to analysis by the second ANN (510), which in an embodiment is a trained natural language processing (NLP) model such as a recurrent neural network (RNN) or a Bidirectional Encoder Representations from Transfers (BERT). The analysis by the second ANN generates output in the form of a context score to the vector representation of the VM image, with the context score corresponding to a risk associated with the VM image with respect to mounting the VM, also referred to herein as a VM risk score (512). A determination is then made whether the VM risk score associated with the VM is below a risk threshold (514). A positive response to the determination indicates that the VM is compliant and the VM image is mounted on a physical machine (516). A negative response to the determination at step (516) indicates that the risk associated with mounting the VM exceeds the threshold and the VM image is not subject to mounting on a physical machine (518). Accordingly, the analysis shown herein leverages the second ANN and associated output to direct provisioning a VM.

Aspects of optimizing workload scheduling and provisioning in a distributed shared resource environment are shown and described with the tools and APIs shown in FIGS. 1 and 2, respectively, and the processes shown in FIGS. 3, 4, and 5. Aspects of the functional tools (152), (154), and (156) and their associated functionality may be embodied in a computer system/server in a single location, or in one embodiment, may be configured in a cloud-based system sharing computing resources. With references to FIG. 6, a block diagram (600) is provided illustrating an example of a computer system/server (602), hereinafter referred to as a host (602) in communication with a cloud-based support system, to implement the processes described above with respect to FIGS. 3, 4, and 5. Host (602) is operational with numerous other general purpose or special purpose computing system environments or configurations. Examples of well-known computing systems, environments, and/or configurations that may be suitable for use with host (602) include, but are not limited to, personal computer systems, server computer systems, thin clients, thick clients, hand-held or laptop devices, multiprocessor systems, microprocessor-based systems, set top boxes, programmable consumer electronics, network PCs, minicomputer systems, mainframe computer systems, and file systems (e.g., distributed storage environments and distributed cloud computing environments) that include any of the above systems, devices, and their equivalents.

Host (602) may be described in the general context of computer system-executable instructions, such as program modules, being executed by a computer system. Generally, program modules may include routines, programs, objects, components, logic, data structures, and so on that perform particular tasks or implement particular abstract data types. Host (602) may be practiced in distributed cloud computing environments (610) where tasks are performed by remote processing devices that are linked through a communications network. In a distributed cloud computing environment, program modules may be located in both local and remote computer system storage media including memory storage devices.

As shown in FIG. 6, host (602) is shown in the form of a general-purpose computing device. The components of host (602) may include, but are not limited to, one or more processors or processing units (604), e.g. hardware processors, a system memory (606), and a bus (608) that couples various system components including system memory (606) to processing unit (604). Bus (608) represents one or more of any of several types of bus structures, including a memory bus or memory controller, a peripheral bus, an accelerated graphics port, and a processor or local bus using any of a variety of bus architectures. By way of example, and not limitation, such architectures include Industry Standard Architecture (ISA) bus, Micro Channel Architecture (MCA) bus, Enhanced ISA (EISA) bus, Video Electronics Standards Association (VESA) local bus, and Peripheral Component Interconnects (PCI) bus. Host (602) typically includes a variety of computer system readable media. Such media may be any available media that is accessible by host (602) and it includes both volatile and non-volatile media, removable and non-removable media.

Memory (606) can include computer system readable media in the form of volatile memory, such as random access memory (RAM) (630) and/or cache memory (632). By way of example only, storage system (634) can be provided for reading from and writing to a non-removable, non-volatile magnetic media (not shown and typically called a “hard drive”). Although not shown, a magnetic disk drive for reading from and writing to a removable, non-volatile magnetic disk (e.g., a “floppy disk”), and an optical disk drive for reading from or writing to a removable, non-volatile optical disk such as a CD-ROM, DVD-ROM or other optical media can be provided. In such instances, each can be connected to bus (608) by one or more data media interfaces.

Program/utility (640), having a set (at least one) of program modules (642), may be stored in memory (606) by way of example, and not limitation, as well as an operating system, one or more application programs, other program modules, and program data. Each of the operating systems, one or more application programs, other program modules, and program data or some combination thereof, may include an implementation of a networking environment. Program modules (642) generally carry out the functions and/or methodologies of embodiments to assess and manager provisioning and mounting of containers and virtual machines in a distributed shared resource environment. For example, the set of program modules (642) may include the tools (152), (154), and (156) as described in FIG. 1.

Host (602) may also communicate with one or more external devices (614), such as a keyboard, a pointing device, etc.; a display (624); one or more devices that enable a user to interact with host (602); and/or any devices (e.g., network card, modem, etc.) that enable host (602) to communicate with one or more other computing devices. Such communication can occur via Input/Output (I/O) interface(s) (622). Still yet, host (602) can communicate with one or more networks such as a local area network (LAN), a general wide area network (WAN), and/or a public network (e.g., the Internet) via network adapter (620). As depicted, network adapter (620) communicates with the other components of host (602) via bus (608). In one embodiment, a plurality of nodes of a distributed file system (not shown) is in communication with the host (602) via the I/O interface (622) or via the network adapter (620). It should be understood that although not shown, other hardware and/or software components could be used in conjunction with host (602). Examples, include, but are not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, and data archival storage systems, etc.

In this document, the terms “computer program medium,” “computer usable medium,” and “computer readable medium” are used to generally refer to media such as main memory (606), including RAM (630), cache (632), and storage system (634), such as a removable storage drive and a hard disk installed in a hard disk drive.

Computer programs (also called computer control logic) are stored in memory (606). Computer programs may also be received via a communication interface, such as network adapter (620). Such computer programs, when run, enable the computer system to perform the features of the present embodiments as discussed herein. In particular, the computer programs, when run, enable the processing unit (604) to perform the features of the computer system. Accordingly, such computer programs represent controllers of the computer system.

In one embodiment, host (602) is a node of a cloud computing environment. As is known in the art, cloud computing is a model of service delivery for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, network bandwidth, servers, processing, memory, storage, applications, virtual machines, and services) that can be rapidly provisioned and released with minimal management effort or interaction with a provider of the service. This cloud model may include at least five characteristics, at least three service models, and at least four deployment models. Example of such characteristics are as follows:

On-demand self-service: a cloud consumer can unilaterally provision computing capabilities, such as server time and network storage, as needed automatically without requiring human interaction with the service's provider.

Broad network access: capabilities are available over a network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, laptops, and PDAs).

Resource pooling: the provider's computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to demand. There is a sense of location independence in that the consumer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher layer of abstraction (e.g., country, state, or datacenter).

Rapid elasticity: capabilities can be rapidly and elastically provisioned, in some cases automatically, to quickly scale out and rapidly released to quickly scale in. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be purchased in any quantity at any time.

Measured service: cloud systems automatically control and optimize resource use by leveraging a metering capability at some layer of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts). Resource usage can be monitored, controlled, and reported providing transparency for both the provider and consumer of the utilized service.

Service Models are as follows:

Software as a Service (SaaS): the capability provided to the consumer is to use the provider's applications running on a cloud infrastructure. The applications are accessible from various client devices through a thin client interface such as a web browser (e.g., web-based email). The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.

Platform as a Service (PaaS): the capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including networks, servers, operating systems, or storage, but has control over the deployed applications and possibly application hosting environment configurations.

Infrastructure as a Service (IaaS): the capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, deployed applications, and possibly limited control of select networking components (e.g., host firewalls).

Deployment Models are as follows:

Private cloud: the cloud infrastructure is operated solely for an organization. It may be managed by the organization or a third party and may exist on-premises or off-premises.

Community cloud: the cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be managed by the organizations or a third party and may exist on-premises or off-premises.

Public cloud: the cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services.

Hybrid cloud: the cloud infrastructure is a composition of two or more clouds (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds).

A cloud computing environment is service oriented with a focus on statelessness, low coupling, modularity, and semantic interoperability. At the heart of cloud computing is an infrastructure comprising a network of interconnected nodes.

Referring now to FIG. 7, an illustrative cloud computing network (700). As shown, cloud computing network (700) includes a cloud computing environment (750) having one or more cloud computing nodes (710) with which local computing devices used by cloud consumers may communicate. Examples of these local computing devices include, but are not limited to, personal digital assistant (PDA) or cellular telephone (754A), desktop computer (754B), laptop computer (754C), and/or automobile computer system (754N). Individual nodes within nodes (710) may further communicate with one another. They may be grouped (not shown) physically or virtually, in one or more networks, such as Private, Community, Public, or Hybrid clouds as described hereinabove, or a combination thereof. This allows cloud computing environment (700) to offer infrastructure, platforms and/or software as services for which a cloud consumer does not need to maintain resources on a local computing device. It is understood that the types of computing devices (754A-N) shown in FIG. 7 are intended to be illustrative only and that the cloud computing environment (750) can communicate with any type of computerized device over any type of network and/or network addressable connection (e.g., using a web browser).

Referring now to FIG. 8, a set of functional abstraction layers (800) provided by the cloud computing network of FIG. 7 is shown. It should be understood in advance that the components, layers, and functions shown in FIG. 8 are intended to be illustrative only, and the embodiments are not limited thereto. As depicted, the following layers and corresponding functions are provided: hardware and software layer (810), virtualization layer (820), management layer (830), and workload layer (840).

The hardware and software layer (810) includes hardware and software components. Examples of hardware components include mainframes, in one example IBM® zSeries® systems; RISC (Reduced Instruction Set Computer) architecture based servers, in one example IBM pSeries® systems; IBM xSeries® systems; IBM BladeCenter® systems; storage devices; networks and networking components. Examples of software components include network application server software, in one example IBM WebSphere® application server software; and database software, in one example IBM DB2® database software. (IBM, zSeries, pSeries, xSeries, BladeCenter, WebSphere, and DB2 are trademarks of International Business Machines Corporation registered in many jurisdictions worldwide).

Virtualization layer (820) provides an abstraction layer from which the following examples of virtual entities may be provided: virtual servers; virtual storage; virtual networks, including virtual private networks; virtual applications and operating systems; and virtual clients.

In one example, management layer (830) may provide the following functions: resource provisioning, metering and pricing, user portal, service layer management, and SLA planning and fulfillment. Resource provisioning provides dynamic procurement of computing resources and other resources that are utilized to perform tasks within the cloud computing environment. Metering and pricing provides cost tracking as resources are utilized within the cloud computing environment, and billing or invoicing for consumption of these resources. In one example, these resources may comprise application software licenses. Security provides identity verification for cloud consumers and tasks, as well as protection for data and other resources. User portal provides access to the cloud computing environment for consumers and system administrators. Service layer management provides cloud computing resource allocation and management such that required service layers are met. Service Layer Agreement (SLA) planning and fulfillment provides pre-arrangement for, and procurement of, cloud computing resources for which a future requirement is anticipated in accordance with an SLA.

Workloads layer (840) provides examples of functionality for which the cloud computing environment may be utilized. Examples of workloads and functions which may be provided from this layer include, but are not limited to: mapping and navigation; software development and lifecycle management; virtual classroom education delivery; data analytics processing; transaction processing; and risk assessment of a container build and mounting of a VM image.

While particular embodiments of the present embodiments have been shown and described, it will be obvious to those skilled in the art that, based upon the teachings herein, changes and modifications may be made without departing from the embodiments and its broader aspects. Therefore, the appended claims are to encompass within their scope all such changes and modifications as are within the true spirit and scope of the embodiments. Furthermore, it is to be understood that the embodiments are solely defined by the appended claims. It will be understood by those with skill in the art that if a specific number of an introduced claim element is intended, such intent will be explicitly recited in the claim, and in the absence of such recitation no such limitation is present. For a non-limiting example, as an aid to understanding, the following appended claims contain usage of the introductory phrases “at least one” and “one or more” to introduce claim elements. However, the use of such phrases should not be construed to imply that the introduction of a claim element by the indefinite articles “a” or “an” limits any particular claim containing such introduced claim element to embodiments containing only one such element, even when the same claim includes the introductory phrases “one or more” or “at least one” and indefinite articles such as “a” or “an”; the same holds true for the use in the claims of definite articles.

The present embodiments may be a system, a method, and/or a computer program product. In addition, selected aspects of the present embodiments may take the form of an entirely hardware embodiment, an entirely software embodiment (including firmware, resident software, micro-code, etc.) or an embodiment combining software and/or hardware aspects that may all generally be referred to herein as a “circuit,” “module” or “system.” Furthermore, aspects of the present embodiments may take the form of computer program product embodied in a computer readable storage medium (or media) having computer readable program instructions thereon for causing a processor to carry out aspects of the present embodiments. Thus embodied, the disclosed system, a method, and/or a computer program product are operative to improve the functionality and operation of risk assessment of a container build.

The computer readable storage medium can be a tangible device that can retain and store instructions for use by an instruction execution device. The computer readable storage medium may be, for example, but is not limited to, an electronic storage device, a magnetic storage device, an optical storage device, an electromagnetic storage device, a semiconductor storage device, or any suitable combination of the foregoing. A non-exhaustive list of more specific examples of the computer readable storage medium includes the following: a portable computer diskette, a hard disk, a dynamic or static random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or Flash memory), a magnetic storage device, a portable compact disc read-only memory (CD-ROM), a digital versatile disk (DVD), a memory stick, a floppy disk, a mechanically encoded device such as punch-cards or raised structures in a groove having instructions recorded thereon, and any suitable combination of the foregoing. A computer readable storage medium, as used herein, is not to be construed as being transitory signals per se, such as radio waves or other freely propagating electromagnetic waves, electromagnetic waves propagating through a waveguide or other transmission media (e.g., light pulses passing through a fiber-optic cable), or electrical signals transmitted through a wire.

Computer readable program instructions described herein can be downloaded to respective computing/processing devices from a computer readable storage medium or to an external computer or external storage device via a network, for example, the Internet, a local area network, a wide area network and/or a wireless network. The network may comprise copper transmission cables, optical transmission fibers, wireless transmission, routers, firewalls, switches, gateway computers and/or edge servers. A network adapter card or network interface in each computing/processing device receives computer readable program instructions from the network and forwards the computer readable program instructions for storage in a computer readable storage medium within the respective computing/processing device.

Computer readable program instructions for carrying out operations of the present embodiments may be assembler instructions, instruction-set-architecture (ISA) instructions, machine instructions, machine dependent instructions, microcode, firmware instructions, state-setting data, or either source code or object code written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk, C++ or the like, and conventional procedural programming languages, such as the “C” programming language or similar programming languages. The computer readable program instructions may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server or cluster of servers. In the latter scenario, the remote computer may be connected to the user's computer through any type of network, including a local area network (LAN) or a wide area network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet Service Provider). In some embodiments, electronic circuitry including, for example, programmable logic circuitry, field-programmable gate arrays (FPGA), or programmable logic arrays (PLA) may execute the computer readable program instructions by utilizing state information of the computer readable program instructions to personalize the electronic circuitry, in order to perform aspects of the present embodiments.

Aspects of the present embodiments are described herein with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments. It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer readable program instructions.

These computer readable program instructions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks. These computer readable program instructions may also be stored in a computer readable storage medium that can direct a computer, a programmable data processing apparatus, and/or other devices to function in a particular manner, such that the computer readable storage medium having instructions stored therein comprises an article of manufacture including instructions which implement aspects of the function/act specified in the flowchart and/or block diagram block or blocks.

The computer readable program instructions may also be loaded onto a computer, other programmable data processing apparatus, or other device to cause a series of operational steps to be performed on the computer, other programmable apparatus or other device to produce a computer implemented process, such that the instructions which execute on the computer, other programmable apparatus, or other device implement the functions/acts specified in the flowchart and/or block diagram block or blocks.

The flowchart and block diagrams in the Figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods, and computer program products according to various embodiments of the present embodiments. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of instructions, which comprises one or more executable instructions for implementing the specified logical function(s). In some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems that perform the specified functions or acts or carry out combinations of special purpose hardware and computer instructions.

It will be appreciated that, although specific embodiments have been described herein for purposes of illustration, various modifications may be made without departing from the spirit and scope of the embodiments. In particular, natural language processing may be carried out by different computing platforms or across multiple devices. Accordingly, the scope of protection of the embodiments is limited only by the following claims and their equivalents. 

What is claimed is:
 1. A computer system comprising: a processor operatively coupled to memory; and an artificial intelligence (AI) platform in communication with the processor and the memory, the AI platform comprising: a representation manager configured to employ natural language processing (NLP) to convert a received metadata file associated with provisioning into one or more vector representations; a neural network manager configured to identify a subject of the provisioning and selectively leverage a first artificial neural network (ANN) responsive to the identified subject, the selective leverage including the first ANN to assign a first score to each of the one or more vector representations, the first score to convey a compliance factor corresponding to operability of the one or more vector representations; a neural network manager configured to selectively leverage a second ANN responsive to the first score assignment from the first ANN, the second ANN configured to assign a second score to the representation of the received metadata file, wherein the second score corresponds to provisioning efficiency; and the processor to selectively provision the container or VM responsive to the second score.
 2. The computer system of claim 1, wherein the first score assignment further comprises the first ANN to identify a stored vector representation proximal to the metadata file and measure a distance between the stored vector representation and the metadata file representation, and wherein the first score assignment is based on the measured distance.
 3. The computer system of claim 2, further comprising responsive to the first score associated with the one or more stored vector representations exceeding a risk threshold, the first ANN configured to identify a stored compliant vector representation closest to the metadata file and measure the distance between the identified stored compliant vector representation and the metadata file, and wherein the selective leveraging of the second ANN is based on the distance measurement.
 4. The computer system of claim 2, wherein the provisioning is a VM, and further comprising: the representation manager to convert a VM image file into one or more VM vector representations; the neural network manager to evaluate the one or more VM vector representations against the second ANN, the second ANN configured to generate a context score, wherein the context score corresponds to a risk associated with mounting the VM; and the processor to selectively mount the VM responsive to the context score.
 5. The computer system of claim 1, wherein the first score functions as a compliance indicator of the received metadata file, and the second score functions as a provisioning indicator.
 6. The computer system of claim 1, wherein the provisioning is a container build, and further comprising the representation manager configured to convert container image layers within the image container build into one or more image layer vector representations, and assign the first score to each of the one or more image layer vector representations.
 7. A computer program product comprising: a computer readable storage device; and program code embodied with the computer readable storage device, the program code executable by a processor to: employ natural language processing (NLP) to convert a received metadata file associated with provisioning into one or more vector representations; identify a subject of the provisioning, and responsive to the identification to selectively leverage a first artificial neural network (ANN) to assign a first score to each of the one or more vector representations, the first score conveying a compliance factor corresponding to operability of the one or more vector representations; selectively leverage a second ANN responsive to the first score assignment from the first ANN, the second ANN assigning a second score to the representation of the received metadata file, wherein the second score corresponds to provisioning efficiency; and selectively provision the container or VM responsive to the assigned second score.
 8. The computer program product of claim 7, wherein assignment of the first score further comprises the program code to identify a stored vector representation proximal to the metadata file and measure a distance between the stored vector representation and the metadata file representation, and wherein the first score assignment is based on the measured distance.
 9. The computer program product of claim 8, further comprising responsive to the first score associated with the one or more stored vector representations exceeding a risk threshold, the first ANN configured to identify a stored compliant vector representation closest to the metadata file and measure the distance between the identified stored compliant vector representation and the metadata file, and wherein the program code to selectively leverage the second ANN is based on the distance measurement.
 10. The computer program product of claim 8, wherein the provisioning is the VM, and further comprising program code to: convert a VM image file into one or more VM vector representations; evaluate the one or more VM vector representations against the second ANN, the second ANN configured to generate a context score, wherein the context score corresponds to a risk associated with mounting the VM; and selectively mount the VM responsive to the context score.
 11. The computer program product of claim 7, wherein the first score functions as a compliance indicator of the received metadata file, and the second score functions as a provisioning indicator.
 12. The computer program product of claim 7, wherein the provisioning is a container build, and further comprising converting container image layers within the image container build into one or more image layer vector representations, and assigning the first score to each of the one or more image layer vector representations.
 13. A computer-implemented method comprising: employing natural language processing (NLP), converting a received metadata file associated with provisioning into one or more vector representations; identifying a subject of the provisioning, and responsive to the identification selectively leveraging a first artificial neural network (ANN) to assign a first score to each of the one or more vector representations, the first score conveying a compliance factor corresponding to operability of the one or more vector representations; selectively leveraging a second ANN responsive to the first score assignment from the first ANN, the second ANN assigning a second score to the representation of the received metadata file, wherein the second score corresponds to provisioning efficiency; and selectively provisioning the container or VM responsive to the assigned second score.
 14. The method of claim 13, wherein assigning the first score further comprising identifying a stored vector representation proximal to the metadata file and measuring a distance between the stored vector representation and the metadata file representation, and wherein the first score assignment is based on the measured distance.
 15. The method of claim 14, further comprising responsive to determining that the first score associated with the one or more stored vector representations exceeds a risk threshold, the first ANN identifying a stored compliant vector representation closest to the metadata file and measuring the distance between the identified stored compliant vector representation and the metadata file, and wherein the selective leveraging of the second ANN is based on the distance measurement.
 16. The method of claim 14, wherein the provisioning is the VM, and further comprising: converting a VM image file into one or more VM vector representations; evaluating the one or more VM vector representations against the second ANN, the second ANN generating a context score, wherein the context score corresponds to a risk associated with mounting the VM; and selectively mounting the VM responsive to the context score.
 17. The method of claim 13, wherein the first score functions as a compliance indicator of the received metadata file, and the second score functions as a provisioning indicator.
 18. The method of claim 13, wherein the provisioning is a container build, and further comprising converting container image layers within the image container build into one or more image layer vector representations, and assigning the first score to each of the one or more image layer vector representations. 